# Gatekeeper Approved Apps

## Overview

**Evidence:** Gatekeeper Approved Apps\
**Description:** Collect Gatekeeper apps allowed to run\
**Category:** System\
**Platform:** macos\
**Short Name:** gatekapp\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

The Gatekeeper approved apps list shows the binaries that Gatekeeper exceptions allow to run. This data is essential for understanding application allow-listing and detecting unauthorized approvals.

## Data Collected

This collector gathers structured data about Gatekeeper approved apps.

### Gatekeeper Approved Apps Data

| Field              | Description                       | Example                   |
| ------------------ | --------------------------------- | ------------------------- |
| `Path`             | Path of the approved executable   | Example value             |
| `Requirement`      | Code signing requirement          | Example value             |
| `CTime`            | Change time (numeric)             | 123                       |
| `MTime`            | Modification time (numeric)       | 123                       |
| `LastChangeTime`   | Last change time (timestamp)      | 2023-10-15 14:30:25+03:00 |
| `ModificationTime` | Modification time (timestamp)     | 2023-10-15 14:30:25+03:00 |

## Collection Method

This collector queries the `gatekeeper_approved_apps` table via osquery and records results into `gatekeeper_apps`.

## Forensic Value

This evidence is crucial for forensic investigations as it highlights exceptions and approvals that may indicate policy bypass or persistence via whitelisted binaries.
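
The following is an added example, not part of the collector or of the original page: a Python triage pass over exported `gatekeeper_apps` rows that flags approvals modified inside an incident window or pointing at user-writable paths. The sample rows, the path globs and the function names are assumptions made for illustration; only the field names and the timestamp format come from the table above.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Assumption: locations treated as user-writable or transient for triage.
SUSPECT_PATH_GLOBS = ["/tmp/*", "/private/tmp/*", "/Users/Shared/*",
                      "/Users/*/Downloads/*", "/Volumes/*"]

def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS+HH:MM'; None if missing, malformed or without offset."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo is not None else None

def triage(rows, window_start, window_end):
    """Return [(path, [reasons])] for approvals an analyst should review."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    if start is None or end is None:
        raise ValueError("window bounds must be timestamps with a UTC offset")
    findings = []
    for row in rows:
        path = row.get("Path", "")
        reasons = []
        if any(fnmatchcase(path, glob) for glob in SUSPECT_PATH_GLOBS):
            reasons.append("path in user-writable location")
        changed = parse_ts(row.get("ModificationTime"))
        if changed is None:
            reasons.append("unparseable ModificationTime")
        elif start <= changed <= end:  # offset-aware, so mixed zones compare correctly
            reasons.append("approval modified inside incident window")
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed records for illustration, not real collector output.
SAMPLE_ROWS = [
    {"Path": "/Applications/Editor.app", "Requirement": "<requirement>",
     "ModificationTime": "2023-09-01 09:00:00+03:00"},
    {"Path": "/Users/alice/Downloads/helper.app", "Requirement": "<requirement>",
     "ModificationTime": "2023-10-15 14:30:25+03:00"},
    {"Path": "/Applications/Sync.app", "Requirement": "<requirement>",
     "ModificationTime": "2023-10-15 12:00:00+00:00"},
    {"Path": "/Applications/Old.app", "Requirement": "<requirement>",
     "ModificationTime": ""},
]

if __name__ == "__main__":
    window = ("2023-10-15 00:00:00+03:00", "2023-10-16 00:00:00+03:00")
    for path, reasons in triage(SAMPLE_ROWS, *window):
        print(path, "->", "; ".join(reasons))
```

Rows with an empty or offset-less timestamp are reported rather than silently skipped, so a record that cannot be placed on the timeline still reaches the analyst.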
